I am
available
for comment, consultation, expert testimony, and lectures on electronic
vote tabulation, and can be contacted via the information at
the top of this page. Members of the press and researchers
seeking interviews and quotation permissions may find it helpful to
look
at the guidelines posted here. I
would appreciate it greatly if calls can be limited to the hours of
10AM
- 6PM, U.S. Eastern Time, weekdays.

Follow links
to full text of papers and articles. Papers not linked may be available
on request. As this website is rather long, I've highlighted certain
"must read" papers and articles using red asterisks (*). For a good overview of the subject, search
for these first and read the text at their adjacent links.

Statement

I am
adamantly
opposed to the use of fully electronic or Internet-based systems for
use in anonymous balloting and vote tabulation applications. The
reasons
for my opposition are manyfold, and are expressed in my writings as
well as those of other well-respected computer security experts.

At the
present time,
it is my strong recommendation that all election officials REFRAIN from
procuring ANY system that does not provide an indisputable, voter
verified paper ballot.

Communities
have gradually discovered that manually prepared paper balloting
systems, augmented with assistive paper ballot-marking devices for use
by the disabled and those with literacy and language issues, can
typically be procured and maintained for considerably less than half of
the price for a Direct Recording Electronic (DRE) with touch-screen or
push-button input, or DRE/VVPAT (DRE with ballot-printer) system.
Ballot-marking devices do not need to be
electronic or computer-based. Opscan-style ballots can (and should) be
entirely
hand-counted. Paper ballots increase voter confidence by offering the
best in terms of reliability, usability and recountability, as well as
being highly cost-effective.

Since 2003,
because of unresolvable problems with the implementation and deployment
of the DRE/VVPAT systems, and the difficulties experienced in using the
VVPATs in recounts, I have recommended AGAINST the purchase of these
devices.

A detailed
explanation of these points, along with my suggestions regarding the
selection of appropriate voting equipment, is provided in the full text
of this statement, available *here*.

National
Popular Vote (NPV) legislation has been creeping into state after
state. Fot those of you who don't know what it is, NPV, when fully
enacted, would MANDATE that states cast their electoral votes, NOT how
the voters of those states intended, but rather to the winner of the
NATIONAL popular vote. Yup, YOUR electors would be REQUIRED to cast
their Presidential votes to the AGGREGATE US highest vote-getter,
REGARDLESS of who the winner was in the state itself. I can't imagine
how this could even remotely be deemed Constitutional (remember the
concept of States' Rights?) but it would likely take a team of
Harvard-educated lawyers to argue this point before the U.S. Supreme
Court. If enough states (they only need a total of 270 electors) are
stupid enough
to allow
their legislatures to pass the bill and their Governors sign it, then
we're ALL hosed, even if your own state doesn't sign on.

Here's what it really means and why it's on my evoting website --
states that have unauditable voting will be incentivised to increase
their bogus vote totals for President well beyond what they need to do
to win their own state, enough so that they can shift the national
total to the candidate of their choice! This is no problem for places
like Ohio, where observed variations in the number of persons who sign
the polling book from the number of ballots recorded on the machines,
in over 80% of precincts, is somehow considered "normal" -- or in
Florida where the citizens vote on paper ballots read by
optical scanners but prohibited from review via manual
recounts. Basically, if NPV becomes law, then the Crooks
are in Control for sure. To find out the status of NPV in your
state, check http://www.saveourstates.com
-- if it does not say "enacted" yet, then let your State Senator, State
Representative and Governor all know RIGHT AWAY that this is a HORRIBLE
idea that should not become law.

Danger to Democracy #2

The same group that
has been
promoting NPV is also hawking Instant Runoff Voting (IRV). Certainly
not coincidentally, the key founder of the organization behind both of
these absurdities is none other than John "the spoiler" Anderson. IRV
is getting a foothold with naieve communities who would like to believe
the snake oil salesmen's claims that by making the voting selection
process harder (not easier) this somehow further enfranchises
beleaguered minority groups and third party candidates. The reason why
I'm mentioning IRV here is again because of the voting machines. Heck,
we can't even prove that these devices (whether DREs or scanners) are
adding 1+1=2 properly. It's all a trade secret and we're not allowed to
check the algorithms. How can we ever hope to verify that the
complicated math needed to generate the IRV totals has been programmed
and
implemented
correctly? If you find yourself in a conversation with anyone
supporting IRV, just ask them to show you ON PAPER how to tally the
election and then watch them squirm. Make sure your municipality,
county, and state does not fall for IRV. For more on how to help oppose
IRV, check outhttp://www.instantrunoffvoting.us
.

Danger to Democracy #3

Perhaps because Americans are considered to be
notoriously lazy, our election officials would rather find excuses for
not hand-counting all of the ballots in order to verify the results
produced by the computers. Of course, the reasons given for not
checking the totals at each precinct (before the ballots are removed
and have a chance to mysteriously wander away) are often ones of cost
or expedience. As it turns out, a small team of vote counters (perhaps
drafted as for jury duty), using a simple bin (not binary) method
should be able to hand-tabulate all but the most complex ballots in
time for the 11 o'clock news (assuming that the polls close at 8PM).
(For the computer scientists, it helps to recall that a bin sort is
O(n).) Of course there are plenty of mathematics wonks, and even a few
Congressfolk, who would like us to believe that a random percentage
audit is all that is necessary to confirm the electronic tallies. This
is provably untrue. Even so, such formulas require that increasing
percentages be audited if anomalies are detected, so you might as well
just count all the ballots from the get-go to avoid the further hassle.
For a detailed explanation of why partial audits don't work, see my
post on the CNET Defensive Computing blog at http://news.cnet.com/8301-13554_3-9876062-33.html
. Oh, and if someone tells you that if people touch the ballots they'll
change the votes, just explain that page feeders could be used with
opaque projectors to display the papers without human handling.

Voter Verified Paper Ballots -- An
Informational Brochure:

An
explanatory brochure has been prepared in response to the myths and
misinformation that are currently being circulated by those who are
opposed to independent election auditing. "Facts About
Voter Verified Paper Ballots" can be downloaded, printed on
double-sided paper, and freely distributed (if in its entirety and
unedited).Although DREs with
VVPBs are an improvement over DREs without them, because of numerous
issues related to the construction and use of VVPBs (some of which are
noted below), since 2003 I have recommended AGAINST the purchase of
these devices. Ballots should be prepared on paper (not computers) and
counted from the paper (preferably by humans).

The
Act that did not help
America Vote:

The 2002
Help America Vote Act (HAVA) legislation authorized $3.8B in
federal spending, with a substantial portion of these funds allocated
to US states and territories for the purpose of replacing their punch
card and lever voting machines and making voting systems accessible to
the disabled. To obtain the money, an implementation plan had to
be submitted to the Election Assistance Commission by January
1, 2004. States were NOT required to purchase fully computerized
voting systems, they could obtain mark-sense (optically scanned)
products that use paper, but in order to receive certain of the
equipment funds, the
plan had to indicate that the state would replace all of its lever and
punch card machines by the first election for Federal office held after
January 1, 2006. New York was the only state that decided to retain its
lever
machines.

The
Presidentially appointed 4-member HAVA Election Assistance Commission,
in
addition to approving each of the state plans, was also to be
responsible
for administering a host of other tasks, not the least of which
included
overseeing a 14-member Technical Guidelines Development Committee and a
110-member Standards Board, and making provisions
for "testing, certification, decertification, and recertification
of voting system hardware and software by accredited
laboratories."
The Technical Guidelines Committee was to have produced a set of
recommended
voluntary voting system guidelines nine months after appointment,
and it was understood that these guidelines would be the ones used by
the laboratories in their certification and testing processes.

What
actually occurred was that the members of the HAVA Commission were
appointed nearly a year late and the establishment of HAVA Committees
and Boards were similarly delayed. Thus, the Technical Guidelines were
NOT available by the time that
state implementation plans were due. This resulted in 9
states requesting HAVA extensions, and many others contracting to
purchase voting systems that could not possibly be HAVA compliant,
since no official HAVA standards yet existed. A
further setback occurred at the beginning of 2004, when the National
Institute of Standards and Technologies (NIST) announced that it had to
curtail all work related to HAVA (despite their named role in the
legislation),
due to Federal budget cuts (funds were later reinstated for the
election project).

Those of us
(including myself) who had worked hard for this bill were sorely
disappointed that the most salient aspects of its implementation were
stalled, while initial equipment purchases were allowed to proceed
under grandfathered and obsolete standards. Many municipalities
(including in California, Florida and elsewhere) purchased voting
equipment that subsequently had to be replaced due to non-compliance,
system failures, and security and auditability concerns. It has taken
years to only partially unwind the many problems caused by the feeding
frenzy generated by overzealous voting system vendors seeking the HAVA
funds, fueled by gullible election officials who were intimidated into
doling
the money out for products that were not yet ready for prime time. Some
of this unnecessary waste of funds could have been avoided, had
Congress merely extended the HAVA deadlines, or had the appointments
and work proceeded on schedule.

But
vendors said their voting machines were certified:

U.S.
voting
systems, beginning in 1990, have been certified under a system
originally established by the
Federal Election Commission (FEC) and a private group, the National
Association of State Election Directors (NASED). Testing fees are paid,
by the vendors, to
certain qualified Independent Testing Authorities and examinations are
conducted secretly without any results (other than a final passed
status) issued publicly. This certification was, at first, based on the
FEC guidelines adopted by only 37 of the states and criticized by
technologists as flawed. (See my detailed comment The FEC Proposed Voting Systems Standard
Update.) According to their website, even "the FEC
recognizes that the Help Americans [sic] Vote Act of 2002 will
fundamentally
alter the long term application of the Standards, including
testing." Some problems with the FEC standard included the lack
of a requirement
that vote tallies be independently auditable, the allowance of
trade-secret code that may not be able to be inspected should an
election contest
question the proper functionality of a voting system, the use of
commercial software products in balloting and tabulation systems
without
any inspection at all, and no provision for re-examination or
decertification when problems are later identified. Even when
additional state certification inspection has been performed, there may
be no guarantee that any particular system has been appropriately
configured prior to deployment. Revelations that uncertified software
was used in at least two California elections (including the
Gubernatorial recall) led to the mandate that voter verified paper
ballots be added to their fully-electronic voting
systems.

Under HAVA,
the certification program was restructured under the Election
Assistance Commission (EAC) and Thomas Wilkey, the
individual formerly
responsible for this task under NASED, was appointed as the EAC's
Executive Director, where he has continued to perform oversight of the
testing and certification tasks. The EAC generated a new set of
Voluntary Voting System Guidelines, which was approved in December
2005, far too late to have any systems tested and deemed compliant in
time for the 2006 HAVA deadline for replacement of lever and punch card
systems. Though there were some slight improvements, these guidelines
suffered from most of the same problems as did the FEC standard (as
noted above and in my
comment to the EAC). A proposed revision (including
the MIT/NIST-proposed Orwellian concept of Software Independence --
that a voting machine could contain software but somehow be independent
of it) was issued for public comment in 2009 as VVSG 1.1, but portions
were
harshly criticized (including
earlier by myself) and it has not yet been approved.

Internet
voting is risky due to its sociological and technological problems.
Absentee balloting does not provide the safeguards of freedom from
coercion and vote selling that are afforded via local precincts.
Internet voting creates additional problems due to the inability of
service providers to assure that websites are not spoofed, denial of
service attacks do not occur, balloting is recorded accurately and
anonymously, and votes are only cast by the authorized voter themself.
The
government's website warned that "it is the citizen's responsibility to
maintain the latest anti-virus software for their computer" in order to
assure safety, yet they failed to acknowledge the fact that anti-virus
software can only protect against known malware (new ones appear
constantly, and could occur during an election season) and server-based
attacks
are still possible. Certainly citizens overseas should have an
opportunity to vote, but perhaps this could be handled by setting up
remote balloting precincts at the U.S. Embassies, or by creating
bi-partisan
poll-worker teams on military bases?

Back in
2000
when the U.S.
Department of Defense first tried Internet voting they spent $6.2M
so that 84 voters could cast ballots. Subsequently, the DoD
engaged
Accenture, the Bermuda-based consultancy arm of the former Arthur
Andersen
(can we spell Enron?) group at a cost of $22M
to oversee its SERVE project for military personnel and overseas
citizens. Following issuance of an analysis by four computer
scientists who were members of the SERVE Security Peer Review
Group, the Pentagon decided to scrap plans for the use of this
technology to cast ballots in the 2004 Presidential election. But
it's far from gone -- the DoD dabbled with the concept of Internet
voting prior to the 2008 election and was shot down again
by the same scientists on many of the same grounds. We'll likely see
some variation of this project surface again as we near 2012.

Rebecca
Mercuri coined
the phrase in her comment: "Explanation
of Voter-Verified Ballot Systems" in The Risks Digest, ACM
Committee on Computers and Public Policy, Volume 22, Issue 17, July 24,
2002. Mercuri
first addressed this concept in her paper: "Physical
Verifiability of
Computer Systems" presented at the 5th International Computer
Virus
and Security Conference in March 1992, and a more detailed description
appeared in
her Doctoral Dissertation, defended October 27, 2000. An artist's
rendering of a "Mercuri Method" voting system
(they need not be so elaborate) appeared in her October 2002 IEEE
Spectrum article, "A Better Ballot Box."

The earliest description of a "ballot behind glass" was provided by Tom Bensonin The Risks Digest, Volume 2,
Issue 22, March 4, 1986 and elaborated on by Kurt Hyde in
The
Risks Digest, Volume 2, Issue 24, March 8, 1986. The difference between
these methods and Mercuri's involves her requirement for a deliberate
verification step, and also the recognition of the paper ballot as the
authoritative record of the voter's choices (in the event of a dispute,
the paper version would prevail over any electronic data).

This
design concept was deliberately never patented by any of the inventors
so
that it could be freely incorporated into election systems. Shortly
after the November 2000 Presidential election, the Avante company
submitted a patent application that incorporated much of this prior art
(including block diagrams very similar to those displayed at Mercuri's
October 2000 dissertation defense and at a subsequent publicly-attended
ACM talk she presented in November 2000, at the Sarnoff Center,
situated just a few blocks down the road from Avante's offices). Avante
has tried (largely unsuccessfully) to pursue infringement claims
against some of the vendors who have implemented ballot printers.

Note that a "voter verified paper ballot" (VVPB) is not the same as
a "voter verifiable audit trail" (VVAT). Many vendors and some
scientists believe that an audit trail of electronically recorded
ballots can be made secure (possibly through encryption or other
mechanisms), but no such systems have yet been validated through
rigorous mathematical proofs, nor can they be independently confirmed
for correctness by non-technical poll workers, election officials or
ordinary citizens.

A great demonstration showing why electronic audits
and pre-election testing are inadequate
can be viewed at: www.wheresthepaper.org.
Simply adding paper "receipts" as some have proposed, to
the system, is not sufficient.
The voter must be required to perform an action that confirms that
their choices have been recorded correctly on the paper, hence making
it a verifiED (rather than just "verifiABLE") ballot in a legal sense.
The paper ballot must not provide any feature that could be used to
violate voter privacy or encourage coercion and vote selling. These
voter verified paper ballots must be used to produce the certified vote
totals and be available for scrutiny in case of election contest or
recount.

Think
about it:

Scientists had been warning
for years about the devastation that might result from a major
hurricane on the Gulf Coast. But the U.S. Congress failed
to provide $35M to fully fund previously approved projects to build
and improve levees, floodwalls and pumping stations in the Lake
Pontchartrain region. The federal government did (prior to Katrina) allocate
some $37M to Louisiana under the Help America Vote Act, primarily
for the purchase and upgrade of fully electronic voting systems that
provide no mechanism for independently auditing ballots and vote totals.

The Civil
Rights Division of the U.S. Department of Justice issued a memorandum opinion
affirming that voting systems that include contemporaneous paper
records, allowing voters to confirm that their ballots accurately
reflect their choices, do not violate HAVA or ADA laws, so long as a
similar capablility (such as can be provided by audio equipment) is
available
for use. This could include tactile
ballots, an inexpensive (non-computer) alternative for the
visually-impaired that has been used successfully in Rhode Island,
Canada, Peru, and Siera Leone.

Mark your
Calendar:

I
will be conducting a computer forensics seminar/workshop for the
Princeton ACM/IEEE Computer Society on November 13, 2010. One of the
sections of this short-course will overview voting system
investigations. Further information is available at http://princetonacm.acm.org/meetings/mtg1011s.pdf
. Advance registration is required and there is a fee for attendance.

The articles
linked below in my writings section provide an
illustration of the magnitude of problems encountered with electronic
voting equipment
and offer some suggested solutions. My analyses are based on computer
science
and engineering facts, and are not politically motivated. Please try to
read some of the *red starred* materials before contacting me
for further
clarification or assistance.

World Democracies

Election
officials in world democracies often want to believe that the
situations in the USA are dissimilar to those in their own countries.
Although
laws and procedures may be different, the computer introduces universal
vulnerabilities to privacy, accuracy, and security in elections.
All democratic nations should be advised to use caution in their
deployment of new systems, and avoid those products that do not produce
a voter-verified paper audit trail.

The United
Kingdom and other European countries have begun initiatives to convert
all or part of their voting to electronic balloting (kiosk/DREs and/or
Internet-based) systems. Europe appears to be rushing ahead to deploy
computer voting technologies with serious sociological
and technological downsides, such as lack of auditability, and
increased opportunities for vote selling, monitoring, coercion, and
denial of service attacks. During mid-October, 2002 I visited England,
on the invitation of the Foundation for
Information Policy Research, to meet with and brief members of the
UK Cabinet and Parliament regarding this subject, and to provide
technical lectures at the Royal Academy of Engineering and Cambridge
University. My comments to the Cabinet are posted *here.
I also formally submitted an additional
follow-up comment as part of their "In the Service of Democracy"
consultation, which explains why Internet voting is not appropriate for
UK democratic elections. Media coverage of my UK tour can be
found over in my press section.
Information on the electronic voting project in Ireland can be found
at http://www.evoting.cs.may.ie.
Thanks to the unflagging efforts of this group and others (including
myself) who strongly protested the change from paper and pencil voting,
in 2009 it was announced that "the Government has decided not to
proceed with electronic voting in Ireland." Over in the Netherlands,
the Dutch group "We Don't Trust Voting Computers" successfully hacked a
NEDAP voting machine, turning it into a chess-playing device. On
October 1, 2007, the District Court of Amsterdam decertified all NEDAP
voting computers currently in use there. Further information at http://wijvertrouwenstemcomputersniet.nl/English .

The Brazilian
government converted to fully electronic voting in 2000, deploying over
400,000 kiosk-style machines. Although their elections are often
compared to those in the US, they are actually quite different because
the voters cast ballots by using numbers assigned to each candidate
(this is necessary because of a high degree of illiteracy in the
country). Concerns regarding accuracy of the self-auditing systems
caused the legislature to mandate a retrofit of 3% (some 12,000
machines) to produce a paper ballot that the voter could peruse and
deposit in a box for recount (the first large-scale use of the "Mercuri
Method" -- described more fully in "A
Better Ballot Box?"). These paper-trail machines were
successfully used during the October 6, 2002 election, and it is
believed that the rest of their machines will eventually be retrofitted
as well. Further discussion on this subject can be found in the
article: *"The importance of
recounting votes" by Michael Stanton (originally published in
Portuguese as "A importância da recontagem de votos", on
the
website of the Agência O Estado de São Paulo, November
13, 2000). There is also an informative website: Brazilian Electronic Voting Forum
by Amilcar Brunazo Filho.

US Voting Rights Act

In the wake
of
the Florida 2000 election, a number of voting rights bills were
proposed in Congress. On May 22, 2001, the U.S. House of
Representatives Committee on Science convened a Hearing on Improving
Voting Technology: The Role of Standards. I was joined on the
invited panel by Dr. Stephen Ansolabehere (MIT), Mr. Roy Saltman (NIST
- retired), and Dr. Doug Jones (University of Iowa).

These hearings
resulted in House Bill H.R. 2275, the Voting Technology Standards Act
of 2001, issued from the Subcommittee on Environment, Technology, and
Standards on June 27, 2001, which was presented with the bipartisan
co-sponsorship of Congressman Vern Ehlers and Congressman Jim Barcia.
Eventually this bill was incorporated into H.R. 3295, the Help America
Vote Act of 2002. The final version can be
found at http://thomas.loc.gov.
Although
this bill authorized spending of over $4B on new voting systems, it
failed to provide for a voter-verified audit trail, available for
independent recount, of ballots cast. (This is discussed further in the
California section below.) It was hoped that the
related voting system standardization efforts created by the EAC/TGDC,
as authorized by the bill, would provide additional safeguards, but
sadly, the application of these controls has not been universally
mandated in the United States, leaving it up to the states (and in some
cases, municipalities within the states) to decide whether or not paper
ballots should be used or even allowed to be recounted (see Florida below).

Section
15360
requires that there be "a public manual tally of the ballots tabulated
by those devices, including vote by mail voters' ballots, cast in 1
percent of the precincts chosen at random by the elections official."
This section also notes: "In resolving any discrepancy involving a vote
recorded by means of a punchcard voting system or by electronic or
electromechanical vote tabulating devices, the voter verified paper
audit trail shall govern if there is a discrepancy between it and the
electronic record." Curiously, Section 15627 on recounts states: "If in
the election which is to be recounted the votes were recorded by means
of a punchcard voting system or by electronic or electromechanical vote
tabulating devices, the voter who files the declaration requesting the
recount may select whether the recount shall be conducted manually or
by means of the voting system used originally, or both." Section
15629 notes that "The recount shall be conducted publicly" and Section
15630 says that "All ballots, whether voted or not, and
any other relevant material, may be examined as part of any recount
if the voter filing the declaration requesting the recount so
requests." Given all of this, one would think that the paper ballots
(either the original ones that were scanned, or in the case of the
DRE's, the VVPATs) would be consulted in all recounts. Unfortunately,
as
occurred in Nguyen v. Nguyen, Case No. 07CC00407 (2007), Orange County
California Superior Court, the Judge ruled that the Election Code's
allowance for the selection by the voter requesting the recount, means
that the requirement that the VVPAT always trump any discrepancies can
be disregarded if the requestor chooses to use the recount produced "by
means of the voting system used originally." This loophole in the law
will likely be opportunistically exploited again until it is closed.
(Numerous YouTube courtroom videos from my 2 days of testimony in this
matter can be found by using the search string: rebecca mercuri
nguyen.)

As well,
Proposition 41, California's Voting
Modernization Bond Act, passed in 2002, mandates that "a voting
system that does not require a voter to directly mark on the ballot
must produce, at the time the voter votes his or her ballot, or at the
time the polls are closed, a paper version or representation of the
voted ballot; this version shall not be provided to the voter,
but shall be retained by election officials for use during
a manual recount or other recount or contest." The key phrase here is
"or at the time the polls are closed" -- this has been
interpreted
by vendors and election officials to permit the voting system to
self-generate ballot images from the internal data stored by the
computer during the election, for use in public manual tallies or
recounts. Using such systems, the voter has no way to confirm that the
ballot they intended
to cast is identical to the one recorded by the machine. Hence, such
recounts are only procedural in nature, and not truly validatory.
Sadly, the U.S. Congress was similarly vague in their definition of
"manual audit
capacity" in the Help America Vote Act of 2002 (Section 301 a. 2), so
lower
court rulings will play an important role in determining the
implementation of when the "permanent paper record" must be produced
(at the time of voting, or after the election is over).

I have
always maintained that the intention of HAVA, as well as the
California Code, is to allow the voter to view the printed ballot prior
to casting it. Finally, in 2004, California's Secretary of State agreed
(but only after discovering that uncertified software was used in their
Recall and General elections in 2003) with this interpretation. Your
participation
is needed here -- if you are a voter living in a municipality that uses
DREs (with or without VVPATs), request an absentee
ballot prior to the election so that you can cast your vote on paper.
That is the only way you can be assured that a) your vote was submitted
as you
intended and b) the ballot you prepared will be available for a manual
recount. I have been voting absentee since DREs replaced the lever
machines in my County in 2004.

In 2001,
Susan
Marie Weber, a citizen of Riverside County, CA, decided to protest
the use of the recently purchased Sequoia Voting Systems' AVC Edge
System
direct recording electronic (touch-screen) voting machines in her
locality.
She filed a Complaint for
Injunctive and Declaratory Relief against CA Secretary of State
Bill
Jones and Riverside County, CA Registrar of Voters Mischelle Townsend,
under 42 U.S.C. §1983 and the Fourteenth Amendment to the United
States Constitution. This appeared as Case No. CV 01-11159-SVW(RZx)
before the Honorable Stephen V. Wilson in the United States District
Court for the Central District of California. Weber obtained
testimony (at name links here) from experts Rebecca
Mercuri, Peter Neumann
and Kim Alexander. The
Judge
ruled on September 3, 2002 in favor of the State on the basis of
only written testimony without deposition or cross-examination, and
without providing an opportunity to inspect the voting systems in
question (although he criticized
one witness for not having done so, even though it would likely have
been a felony to perform such an examination in the absence of a court
order), and various appeals also failed. The ruling allowed other
California
counties to proceed with their purchases of self-auditing voting
equipment. Despite this ruling, the subsequent Secretary of State,
Kevin Shelley, decided
on November 21, 2003 to require that all computerized voting equipment
be equiped with an accessible voter verified paper trail by July 2006.
The next Secretary of State, Deborah Bowen, decided to conduct a "Top
to Bottom Review" of California's voting systems, which resulted in the
decertification of most of the DREs. Currently only Orange and San
Mateo Counties use DRE with VVPAT. All other Counties in CA use opscan.

California
Proposition 23, the None of the Above Ballot Option, failed to achieve
enough votes to pass in the March 7, 2000 election. The lack of
a "none of the above" choice for each ballot race (in all states)
creates a dubious dark hole for election auditing. Traditionally, when
one totals all votes cast in each race, these fall short of the
total number of votes eligible to be cast (usually by around 3%). The
"lost vote" (also called "undervote" or "residual vote") rate tends
to differ depending on equipment and other factors, but it is often
also an indicator of malfunction or tampering. The lack of a definitive
"no vote" allows vendors and election officials to assert that votes
were "not cast" when in fact votes have actually been lost. This
situation
is becoming more prevalent with the introduction of multiple recording
devices within the voting machines, and no real way to determine which
storage unit has the "correct" data. It is unfortunate that the U.S.
Green Party believes that the "none of the above" option is contrary
to their interest in promoting proportional balloting, since they are
among the most vocal opponents of this effective auditing requirement.

I was
requested by the Democratic Recount Committee to provide a sworn
affidavit regarding the necessity of a hand recount in the disputed
Florida precincts. The testimony was presented as part of the
defense
brief in the 11th Circuit Court of Appeals, Atlanta, November
17, 2000. The document is linked here
as a pdf file, and can also obtained through direct request to the
11th Circuit Court. Reference to this affidavit was made in Brief
in opposition for respondents Gore et al. in Nos. 00-836 and 00-837 to
the U.S. Supreme Court.

In August of
2002 I testified in behalf of the Plaintiff requesting a recount in
Florida 15th Circuit Court Case No. CA-02-3667-AE Emil P. Danciu v.
Theresa LePore in her Official Capacity as Palm Beach County Supervisor
of Elections, Boca Raton City Canvassing Board, Palm Beach County
Canvassing Board, Susan Haynie, and Bill Hager. Footage of my
demonstration showing that a selection could inadvertently be made
without actually pressing the touchscreen at the candidate's name
location, aired on 60 Minutes. Also revealed during the warehouse
investigation was the fact that these voting machines were never
manually checked for all combinations of candidate selections during
the pre-election testing process.

During 2007,
Florida outlawed the use of touchsreen voting (having previously
outlawed the hanging chad punchcard systems) and now uses optical
scanning throughout the state. Unfortunately, in 2004, Florida also
outlawed the right of voters or candidates to be allowed to audit the
electronically-generated results via a manual recount. (This may have been
partly in response to a federal lawsuit by their 19th District Congressman Robert Wexler
and Palm Beach County Commissioners Burt Aaronson and Addie Green,
citing the equal protection clause of the U.S. Constitution and
claiming that it was unconstitutional for 52 counties in Florida to
have
a means to conduct a recount, while the 15 touchscreen counties could
not perform one.) Thus there is no way to
independently confirm that the scanners have been programmed correctly,
are not experiencing anomalous conditions (such as treating certain
types of ink as invisible), and have not been tampered with (as Hari
Hursti showed can alter vote totals). See http://onlinejournal.com/evoting/060305BBV/060305bbv.html
for further details. For all of these reasons (plus others related to
voter disenfranchisement), Florida continues to get an F in election
integrity.

New Jersey

From
2004-2006, I provided pro bono assistance for the Guciora v. McGreevy
lawsuit, which protested the use of paperless DRE voting machines in
the State of New Jersey on constitutional grounds. The Plaintiff's Complaint
and Brief
can be found at the links here. I submitted extensive written
testimony on October 16, 2004 that described numerous flaws with
electronic voting systems (lack of provability, malfunctioning that
disenfranchises voters, less accuracy, vulnerability to insider
attacks, lack of transparency, improper vendor responses to software
flaws, inadequate certification, lack of independent ballot audit, and
vendor misrepresentation). My testimony in the remand hearing before
Hon. Linda Feinberg, Superior Court of New Jersey, Law Division, Mercer
County, largely focused on the inability of the vendors to provide a
voter verified paper ballot add-on to the DRE equipment that could be
Federally certified for use, in time for compliance with the newly
enacted New Jersey law requiring same by January 1, 2008. Based on
Judge
Feinberg's findings, the Appellate Division decided to remand the
matter to the Law Division in order to monitor compliance with the new
legislation. Although testimony by numerous individuals was presented
by Plaintiffs, the only comments noted in the Appellate
Division Opinion were mine, pertaining to the issue that there were
factors independent of the VVPAT that would make it unlikely that the
AVC Advantage DRE would meet the 2002 FEC standards requirements by
December 2007. As I had predicted, and despite monitoring by the Court,
the VVPATs indeed were not ready by 2008 and the Attorney General
issued two 6-month extensions for compliance, also to no avail.

In the
meanwhile, a trial was scheduled and the Court ordered the State and
vendor to supply voting machines and source code for examination.
Information about the review and testimony in the 2009 (and earlier)
hearings can be found at Professor Andrew Appel's website
and also at the Freedom
to Tinker blog. On February 1, 2010, Judge Feinberg ruled that the
voting machines must be reevaluated to determine whether they are
"accurate and reliable" and required that additional safeguards should
be put in place to discourage tampering. The statement, which noted
"there is simply no evidence to conclude that absent complete access,
coupled with malicious intent to alter the results of an election, the
voting machines have failed to correctly and accurately count every
vote cast" also indicated that all voting systems have vulnerabilities,
so New Jersey's unauditable machines seem (at least to the Court) to be
no worse than other methods (such as those involving paper ballots).
Unfortunately, the ruling did not go far enough to require that the
VVPAT law in the state be complied with, so that there might be some
actual proof that the machines were correctly and accurately counting
every vote cast (or not). And so it goes. Personally, I have felt
strongly that the Plaintiffs' team was missing the boat by focusing on
hacking rather than the Constitutional aspects of assuring verification
and transparency in the election process. Nothing is really proven by
such attack demonstrations, other than that they could potentially
occur -- since independent examinations of the equipment directly
following the elections are routinely
prohibited, we'll never be able to show that tampering was afoot. The
greater likelihood is that malfunctions and misprogramming actually
will (and do) occur. These we have plenty of evidence of, and only with
voter verified paper ballots is it possible to recover from and
mitigate such problems. Perhaps someone else will try to sue on these
grounds, when evidence of machine failure eventually surfaces.

I was asked
to provide comment on New Jersey's draft Criteria for Voter-Verified
Paper Records for DRE voting machines. My response is attached here.
The final version of the State Criteria is posted at http://www.njelections.org/voter_verified_paper_record_criteria.html
. The Attorney General's reports, also available via this website, in
which she (perhaps conveniently?) declines to certify the VVPRS (paper
ballot attachments) for the Sequoia Advantage and Edge DREs, is very
curious, since the AG's office argued in behalf of Defense in the
lawsuit noted above. The Sequoia Advantage DREs are used in 18 of NJ's
21 Counties. You might think that since the AG did certify VVPRS for
two other vendors' voting machines, the Judge might have required that
these be used instead of the Sequoias, but no. Hmmm.

If you vote
in New Jersey, here's what you can do. NJ has a absentee
option where citizens can register to receive paper ballots in the
mail. You will need to re-register as an absentee each year, but it is
a great alternative to using the paperless DREs. Don't trust the Post
Office? If you take your ballot to the County Election Office and drop
it off there (in its sealed envelopes) during their business hours
(extended to the close of polls on election day), you'll know that at
least your vote choices have reached the tabulation center, which is
something that the DREs cannot assure. In case of recounts (which do
happen in NJ) these ballots are the only ones that can actually be
checked without computer intervention.

Writings by Rebecca MercuriThis section includes formal papers, commentary, articles, and other
relevant materials on voting and computer security. The PDF
versions for some of these writings may be more suitable for producing
handouts.

"Electronic Vote Tabulation Checks
& Balances," Ph.D. dissertation, defended October 27, 2000 at
the School of Engineering and Applied Science of the University of
Pennsylvania, Philadelphia, PA. The title link here takes you
to the thesis defense announcement and abstract. UPenn's Computer and
Information Science Department has (without permission) archived the
University Microfilms version of my thesis at http://www.cis.upenn.edu/grad/documents/mercuri-r.pdf
and it can be downloaded (for free) there. You can also obtain a copy
of
the thesis through UMI/Proquest by sending an email to
disspub@proquest.com -- the thesis number is 3003665. They
various archival quality formats (hardbound, softbound unbound,
microfiche, and microfilm) of the original double-spaced 235-page
document, they can take credit-card orders, and I'll receive a small
royalty. Those who are manufacturing or evaluating voting systems will
find it helpful to consider two additional lists of questions I
developed as part of this thesis research. Some of the wording closely
follows the Common Criteria, whose Level 4 assessment I have
recommended as a minimum benchmark for voting system
security. Further information about the Common Criteria can be
found at http://www.niap-ccevs.org/cc-scheme/
.

*"Voting
into Vapor," Craig Lambert, Harvard Magazine, November-December
2004, Volume 107, Number 2. This succinct piece provides insight into
the mathematics behind the voting system problem, in terms that a
layperson can readily understand.

*"Election Reform and Electronic Voting Systems
(DREs): Analysis of Security Issues," (PDF),
Eric A. Fischer, Congressional
Research Service, The Library of Congress, November 4, 2003. A
well-balanced overview of voting security threats and vulnerabilities
along with an assessment of strengths and weaknesses of potential
solutions.

"Usability
Review of the Diebold DRE system for Four Counties in the State of
Maryland," (PDF),
Benjamin B. Bederson, Paul S. Herrnson, University of Maryland, 2002.
This study, conducted prior to the Fall primaries, provides an early
indication of machine failures with the Diebold equipment (used in
Georgia as well as Maryland).

*"Secret-Ballot Receipts and Transparent
Integrity," (PDF),
David Chaum, Draft, May 2002. Chaum, the inventor of eCash, describes a
unique method where voters can positively confirm their ballots, both
at the polling station and also after the election, to be sure
they are correctly entered into the tallies, without revealing their
choices. This groundbreaking work may eventually form the basis
of secure and auditable future elections.

*"Opening a Can of
Electronic Chad," Bill Sterner, Carol Schiffler. A position piece
against touch-screen voting from the Citizens for Legitimate
Government. http://www.legitgov.org

*"Voting and
Technology," Bruce Schneier, Crypto-Gram, December 15, 2000. http://www.schneier.com/crypto-gram.html
(Also read his explanation in the 2/15/01 issue about why Internet
voting is not possible, and his scathing comments about iBallot.com's
proprietary voting technology claims in the 3/15/01 issue. In the
9/15/02
issue, this expert again confirmed his opposition to Internet
elections.)

*"Disenfranchised by design: voting systems and
the election process," Susan King Roth, Information Design Journal,
Volume 9, No. 1, 1998. (This early study examines usability issues in
various election systems, with the conclusion that newer technologies
are not necessarily an improvement for voters.) The pdf can be accessed
via: http://www.informationdesign.org/downloads/doc_roth1998.pdf

*"Reflections on
Trusting Trust," Ken Thompson, Communications of the
ACM, Vol. 27, No. 8, August 1984. This important Turing Award lecture
explains precisely how it is possible to conceal nefarious programming
such that it will never be found in a source code inspection.

A Bit of Levity

"Digital Democracy,"
Mark Fiore, February 4, 2004. (A fun animation depicting what we are
getting with paperless voting systems. Wait a minute or so for it to
load, don't press back or next.)

"We
guarantee the outcome," Summer, 2003. (If someone told
me I'd be referring folks to Larry Flynt's website, I would have
laughed, but this parody is great, and G-rated to boot!)

I have
created
a private email group which I am using to send messages regarding
updates to this website and other announcements about relevant
articles,
conferences, legislative activities, election litigation and my
upcoming
talks and media appearances. The group is "send-only" so replies go
only
to me, not to the other group members. Announcements are sporadic,
typically
only a couple per month. If you are interested in joining, send an
email
to:

NotableVoting-subscribe@topica.com

Then follow
the instructions in the reply message that you will receive, and I will
place you on the list. If you join topica (although you don't need to
do this to be a mailgroup member), you can review all of the prior
messages in the NotableVoting history list at their
website. If you tire of the list, you can remove yourself from it by
sending a message to NotableVoting-unsubscribe@topica.com and your
address will be deleted.

Additional Links

The wealth of materials at these
sites may be helpful to those who are interested in voting technology.
The links here are in no particular order and should not be construed
as endorsements. As web pages and hosts can change rapidly, I take
absolutely no responsibility for the content and/or reliability
of these links.